Bug 2348993 (CVE-2025-26699)

Summary: CVE-2025-26699 django: Potential denial-of-service vulnerability in django.utils.text.wrap()
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: anthomas, brking, caswilli, dnakabaa, dranck, ehelms, ggainey, gtanzill, haoli, hkataria, jajackso, jcammara, jmitchel, jneedle, jtanner, juwatts, jwong, kaycoth, kegrant, kholdawa, koliveir, kshier, lcouzens, mabashia, mhulan, mskarbek, nmoumoul, osousa, pbraun, pcreech, rchan, security-response-team, shvarugh, simaishi, smallamp, smcdonal, stcannon, teagle, tfister, thavo, ttakamiy, yguenane
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A potential denial of service vulnerability exists in django.utils.text.wrap() and the wordwrap template filter. When processing extremely long strings, these functions may cause excessive resource consumption, potentially leading to service disruption.
Deadline: 2025-03-06   

Description OSIDB Bzimport 2025-02-28 09:52:02 UTC
The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a
potential denial-of-service attack when used with very long strings.

Affected versions
=================

* Django main development branch
* Django 5.2 (currently at beta status)
* Django 5.1
* Django 5.0
* Django 4.2

Comment 2 errata-xmlrpc 2025-03-25 12:23:56 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 8
  Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2025:3160 https://access.redhat.com/errata/RHSA-2025:3160

Comment 3 errata-xmlrpc 2025-03-25 17:10:43 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 8
  Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2025:3162 https://access.redhat.com/errata/RHSA-2025:3162

Comment 4 errata-xmlrpc 2025-05-06 14:55:55 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2025:4553 https://access.redhat.com/errata/RHSA-2025:4553

Comment 6 errata-xmlrpc 2025-06-05 17:39:55 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2025:8609 https://access.redhat.com/errata/RHSA-2025:8609